
I'm trying to prevent any user from seeing the contents of the file, "x.txt", located on my server.

So far, I have done the following:

  1. Blocked users from directly accessing the file using .htaccess

  2. One of my pages uses an ajax request to get the contents of the file and stores it in a variable.

  3. User's input is compared to contents of the file through an if(x==y) statement.

Is it possible that users of my site could access this sensitive data?

user939687
  • I don't think you ever want to store sensitive data in plain text no matter how much security you have. – Jared Dec 07 '14 at 01:14
  • Why do you think you saw these nice pictures of some stars' iCloud accounts lately? Of course it is possible to access your sensitive data. As @jrod mentioned, you don't want to do this like that – baao Dec 07 '14 at 01:21
  • I'm just asking conceptually. But, of course, I'm going to be encrypting the data. – user939687 Dec 07 '14 at 01:22
  • You have not mentioned what webserver you are using -- however every webserver has security holes and zero-day exploits are always possible -- so assume that the file can always be accessed by somebody sufficiently clever if it exists on the machine – Soren Dec 07 '14 at 01:22
  • What step would reveal the data? – user939687 Dec 07 '14 at 01:22
  • There is another [SO question](http://stackoverflow.com/questions/14570831/can-i-encrypt-my-json-data) very similar to your question that could help. BSON = binary JSON would help that it is not easily readable. – AWolf Dec 07 '14 at 01:23
  • Are you asking for a list of all the security holes which have not yet been found? – Soren Dec 07 '14 at 01:23
  • AJAX = anyone that overrides _XMLHttpRequest_ before your code is interpreted can gain access.. or anyone who knows how to open their console. – Paul S. Dec 07 '14 at 01:27
  • Other than attacking my server, I just want to know if the data can be seen, as in can they use Chrome's developer tools to read the contents of the AJAX'd file and will the user be able to see all of the values of every variable? – user939687 Dec 07 '14 at 01:29
  • Yes, it is possible for user to review the full transcript and content of any AJAX call using dev tools. – Nathan Dec 07 '14 at 01:44
  • What is the purpose of storing a secret key in the client? You could have the server instead perform a one-way hash given a client seed and then share that value with the client for reuse/verification. This would keep the secret on the server, while providing a unique value with the client which does not reveal the secret. – Nathan Dec 07 '14 at 01:54
  • You should also consider storing the private key separate from the public web space (in some file system location above/outside of DocumentRoot) – Nathan Dec 07 '14 at 01:58

1 Answer


If an ajax call can get the data, then any rogue or customized script can also get the data via the same ajax call and it only takes an elementary look at your web page to see what the ajax call is that gets the data. Or, anyone who just opens the Chrome developer tools and looks at the network tab can see the contents of all ajax calls made by the browser.

In addition, anyone who knows how to use a browser debugger can watch anything your code does (like storing ajax contents into a variable) so even encryption over the wire doesn't prevent someone seeing your data who is at the receiving browser.

If you want your server data to be secure, you will need a different design.

The secure way to test user input vs. some secret on the server is to send the client data to the server and have the server compare the client data to the server master and thus never send the server data to the client.

Think of it like a password. You'd never send the master password to the client and have the client compare what the user entered. Instead, you'd send what the client typed to the server and have the server do the comparison securely. This same approach will protect your data.

jfriend00
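
The server-side comparison described in the answer above, as an added example that is not part of the original answer or the asker's code: a Node.js handler that receives the user's input and returns only a match/no-match flag. The `/check` route, the function names and the sample secret are assumptions made for illustration; keeping only a salted hash of the secret follows the suggestion in the comments.

```javascript
// Added example: the secret never leaves the server; the browser only learns true/false.
const crypto = require('node:crypto');
const http = require('node:http');

// Done once at deploy time. Persist the record outside the web root (assumption:
// the secret is a short string, so a slow salted hash is kept instead of the plain text).
function makeRecord(secret) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(secret, salt, 32) };
}

// Compare a submitted value against the stored record in constant time.
function matches(record, submitted) {
  if (typeof submitted !== 'string' || submitted.length > 1024) return false;
  const candidate = crypto.scryptSync(submitted, record.salt, 32);
  return crypto.timingSafeEqual(candidate, record.hash);
}

// Turn a raw request body into a response. Nothing derived from the secret,
// other than the boolean result, is ever placed in the body.
function handleCheck(record, rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return { status: 400, body: { error: 'bad request' } };
  }
  const value = parsed && parsed.value;
  return { status: 200, body: { match: matches(record, value) } };
}

// HTTP wiring: POST /check with a JSON body such as {"value": "..."}.
function createServer(record) {
  return http.createServer((req, res) => {
    if (req.method !== 'POST' || req.url !== '/check') { res.writeHead(404).end(); return; }
    let raw = '';
    req.on('data', (chunk) => { raw += chunk; if (raw.length > 4096) req.destroy(); });
    req.on('end', () => {
      const out = handleCheck(record, raw);
      res.writeHead(out.status, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify(out.body));
    });
  });
}

// To run: createServer(makeRecord('constructed-sample-secret')).listen(8080);
```

With this shape, the network tab and the debugger show only the user's own input and `{"match": true}` or `{"match": false}`. Because the endpoint answers yes/no for any guess, it should sit behind rate limiting.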